By Paul Schnackenburg
The aim of Secure Score is to gamify the security controls Microsoft offers: you earn points as you turn them on. It also lets you compare your tenant's score to how others are doing.
I suggest you follow along in your own tenant. But if you already have a production tenant with lots of users, please try these steps out in a trial tenant before you carefully guide your fellow administrators and users down the security path.
Get started with MFA for administrators
Start by logging in to your tenant at https://portal.office.com. You won't find Secure Score in the main admin center or in the Security and Compliance area. You have to go to https://securescore.office.com instead.
There are two tabs: one provides your current score, and one tracks the changing score over time. On the first tab is a list of actions you can take to improve your score and secure your tenant. My tenant is starting off at 26 points. Microsoft suggests a target of 297 (with a max of 432). Achieving 297 will take me 26 different actions, so let's get started. Note that the average Office 365 tenant Secure Score sits at 29!
A slider lets you set your target score. If I slide it all the way to the right, the max score goes up to 432, but I will have 52 actions to take. Actions listed as [Not Scored] increase the security of your tenant but do not improve your score because they're not wired up to the Secure Score portal (yet).
Protecting your admin accounts with MFA
The action at the top of the list enables MFA for all global admins in the tenant. This is the only action worth 50 points. This makes sense because if one of your global admin accounts is breached, it's essentially game over. This is similar to a hacker obtaining DA (domain admin) credentials in an on-premises breach. It's worthwhile protecting your administrators.
I click Learn more, which opens a blade with more information about the impact of this change, who it is going to affect, and the ability to inform the affected users. Clicking Launch Now takes me to an Azure Active Directory (AAD) page where I can enable MFA for my two global admin users.
After doing that, take a look at the Settings tab. You can also elect to have specific trusted devices remember a successful MFA for a number of days; I picked 7. This does introduce a somewhat higher risk for lost or stolen devices, in which case you'll need to restore MFA to all devices quickly.
The main setting to consider is to define IP address ranges of your intranets that don't require MFA. This will vastly reduce your users' irritation factor with MFA because it will only prompt them when out of the office.
You can also turn off specific verification methods out of the four available: call to phone, text message to phone, mobile app notification, or verification code from mobile app. Of these, the second is the one your security team may have issues with. The SMS network worldwide is about as full of holes as a Swiss cheese, and many successful attacks have exploited this. But don't let that deter you; having MFA turned on even with SMS messages is much better than not having it enabled at all.
Log out of the Office 365 admin portal and then log back on. It will prompt you to configure MFA for your account. Clicking Set it up now will take you to a screen where you can pick a call or text to your mobile, call to a landline, or use the mobile app.
I told it to Call me on my mobile, clicked Next, received the call, and pressed the pound key to verify. The last screen provides the app password to use for applications that don't support MFA directly.
Complete your login to the admin portal with another MFA prompt, and you're now ready to administer more securely. If you haven't set up contact details for the account such as a mobile phone and non-Office 365 email address, it will prompt you for these.
Another wrinkle to take into account is PowerShell, if your administrators use it to manage your Office 365 tenant. You can find instructions for Exchange Online access with MFA here.
Don't expect immediate updates to your score. Secure Score evaluates it once a day at 1:00 a.m. PST, and it can take several days for your score to go up.
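Because the score lags by a day or more, you can confirm the MFA state of your global admins directly. The following is an added example, not part of the original post: it assumes the MSOnline PowerShell module, the function name Get-AdminMfaStatus and the sample accounts are hypothetical, and the sample data is constructed so the script runs without a tenant connection.

```powershell
# Added example (not from the original post). Assumes the MSOnline module for the live path.
function Get-AdminMfaStatus {
    param([Parameter(Mandatory)] [object[]] $User)
    foreach ($u in $User) {
        # Per-user MFA state is 'Enabled' or 'Enforced'; an empty list means MFA is off.
        $state = ($u.StrongAuthenticationRequirements | Select-Object -First 1).State
        if (-not $state) { $state = 'Disabled' }
        # The verification method the user is prompted with by default.
        $default = ($u.StrongAuthenticationMethods |
            Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = if ($default) { $default } else { 'None registered' }
            SmsIsDefault      = ($default -eq 'OneWaySMS')   # text message to phone
        }
    }
}

# Live tenant (uncomment; 'Company Administrator' is the role name for global admins):
# Connect-MsolService
# $role   = Get-MsolRole -RoleName 'Company Administrator'
# $admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
#     Where-Object { $_.RoleMemberType -eq 'User' } |
#     ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId }

# Constructed sample objects shaped like Get-MsolUser output (hypothetical accounts).
function New-SampleAdmin($Upn, $State, $Method) {
    [pscustomobject]@{
        UserPrincipalName                = $Upn
        StrongAuthenticationRequirements = @(if ($State)  { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods      = @(if ($Method) { [pscustomobject]@{ MethodType = $Method; IsDefault = $true } })
    }
}
$admins = @(
    New-SampleAdmin 'admin1@contoso.example' 'Enforced' 'PhoneAppNotification'
    New-SampleAdmin 'admin2@contoso.example' 'Enabled'  'OneWaySMS'
    New-SampleAdmin 'admin3@contoso.example' $null      $null
)

# Show every admin, with unprotected accounts and SMS-default accounts listed first.
Get-AdminMfaStatus -User $admins |
    Sort-Object @{ Expression = { $_.MfaState -ne 'Disabled' } }, @{ Expression = { -not $_.SmsIsDefault } } |
    Format-Table -AutoSize
```

An account moves from Enabled to Enforced once the user has completed the MFA registration described above, so an admin still showing Enabled has not yet logged in and set up a verification method.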
The best option for MFA is probably the Authenticator app, available for iOS, Android, and Windows Phone. To enable this as an option for your account, go to https://myapps.microsoft.com, log in, and click your name in the top right-hand corner. Pick Profile and select Additional security verification, and then click Authenticator app and Configure.
A quick response (QR) code will display on the screen of your PC. In the Authenticator app on your phone, pick Add school or work account, and let your phone camera scan the QR code. After doing this, you can use the app to verify an MFA prompt instead of a phone call or texted code. On modern iPhones, you can also use the fingerprint scanner to verify an MFA prompt.
Sander Berkouwer wrote an excellent series on Azure MFA here at 4sysops. In the next post, we'll look at MFA for end users and enabling audit logging for your Office 365 tenant.